How It Is

Don’t You Give That Girl a Gun

When people insist on doing things that will hurt their site, how far does it go?

His WordPress site was hacked.

He’d reported it as a ‘slow site’ and the techs had done an amazing job helping him clean it up, but when it landed in my lap, I took one look at saw backdoors, permissions issues, and vulnerabilities galore. So I did the reasonable, responsible, fair thing. I reinstalled the files, I cleaned up the plugins, and then I saw his theme was behind a paywall, old, and, worse, no longer supported. So I removed the theme from his website (putting it where he could get it back) and switched him to Twenty Fourteen. Then I explained in a rather long email about how his site was hacked, how I determined it, and what he needed to do to get the theme back (basically download it again from the vendor).

He was mad.

He argued that I had broken his site and it no longer looked right. This was true. He complained that my service was deplorable because his site looked wrong. This is debatable. He groused that I had to put the theme back. This was not going to happen.

old fashioned rifle on a wall

It’s the service conundrum. If you know something’s wrong, do you leave it alone or do you fix it? When I see people post their passwords in public places, I delete them and use bold and italics to chastise them. When I see people doing dangerous things like editing core, I do the same. I try really hard to educate and warn people, so they can be protected from shooting their own foot off. So when I have a rabid customer telling me I need to let them do it … I don’t.

My job is really to help people fix their sites, and that tends to mean my job is to debug and educate and provide options. But when someone has an abjectly wrong bit of code, like the bevy of people who had their old themes and plugins break when we upgraded them from PHP 5.2 to 5.4, I will regularly go that extra mile and fix the code. That doesn’t mean I don’t educate them, they usually get a quick lecture about why we upgrade promptly, but when someone’s that far off normal that their code won’t work on PHP 5.3, I assume they just don’t know anything.

The worst part about it, though, is when they argue. They’ve asked you for help and advice, you provide it, they demand you fix it, and at a certain point… they’re just asking the wrong person. Your webhost is not your consultant. While many times we can and will fix the site, when it gets down to code that isn’t working, we can’t be expected to re-write all the code.

Sometimes we’re going to be the bearers of bad news. Your theme is hacked. Your plugin is vulnerable. Your code won’t work on this server because of reasons. We’re never making an excuse, but we are trying to explain to you why things happen.

Now I know I’m a little weird, because I think that everyone should be educated in how their site works. Not that I think they need to learn to code, but to understand what’s going on, in broad terms, means you’ll be able to help us help you fix your site. And with that, I expect people to actually listen to what the support techs say. We won’t always be right, especially not with WordPress which has infinite combinations of plugins and themes (it’s a mathematical impossibility to be able to be familiar with everything) but for the most part, we are all trying to learn to be better and faster at debugging.

But. What do you do when the person you’re trying to help insists on hurting themselves? Like the person with the hacked theme, maybe you’re lucky and your company has a policy that once you know something is malware, you’re legally not permitted to reinstall it. But what if they decide to use a plugin that has a maybe backdoor, like an older version of TimThumb? How big a deal is that? Is it better or worse than helping someone do something that will absolutely kill their SEO?

For me, it’s pretty simple. My company does have a no-malware policy, and I can fall back on that. When I volunteer, I often tell people “I will not assist you in doing something I don’t feel is right.” and I walk away. Because I feel strongly that I should educate you, but also that I should never enable you to hurt your site.

4 replies on “Don’t You Give That Girl a Gun”

I don’t agree with your decision tree here.
Since your company has a policy, you should have informed the customer beforehand and given him the choice to walk (probably no money back) or let you do what you did.

@Mike: He had asked us to ‘fix’ the site. There was a lot more to the conversation but in essence the customer had ‘hired’ us to fix it, and we did. It’s not the same as if you’d hired say a security firm just to clean the site, but we had written arrangements to do exactly what I did, with the caveat of if I can’t fix it, I have to remove the theme/plugin (since I knew I could fix core). So yeah, he had the choice of fix or remove the whole thing and went with fix and was upset that it wasn’t all that. The whole policy is complicated.

I thought I might be commenting on something out of context.

I was fired by a client once – he lost his internet and I discovered on premises that his power cord was sliced and dangling inches from our legs. He was angry because I told his wife.
He was a famous laser back surgeon and over 80 so I thought I did the right thing.

@Mike: You did the right thing. It’s like the guy who was mad we called him on the number he provided to remind him to pay his hosting fees. He was livid we called because his wife answered. I totally understand why he was mad, but this was the agreed upon situation. Not liking something doesn’t make it wrong.

Comments are closed.